Security of processing

Acra provides "state of the art" "security of processing" required in the article 32 of GDPR through providing data encryption and integrity check of the encrypted data.

> "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,..."

Also, the components of Acra allow encrypting data on the client's side, which enables secure transfer of the data in encrypted form through an untrusted channel.

Data protection by design and by default

The default settings of Acra are pre-configured in the most secure way to provide that exact "secure by default" state of the system. This is enabled through the default encryption settings for the data transfer between the Acra's components and the database ( SSL and Secure Session are used).

>"In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

Logging, Intrusion Detection, and Notification

Acra makes the communication with the users in case of a data breach easier because the data is encrypted (see Art 34 of GDPR):

> "The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption."

All the components of Acra are logging the requests/queries/events that take place within Acra. This provides the logs of everything that was happening in Acra in case of a security incident. Using the logs makes it easier to notify the supervisory authority and users about the exact details of a data breach (which complies with the articles 33 and 34 of GDPR). All the SQL queries to the database are logged in Acra by AcraCensor (Acra's firewall) with configurable verbosity.

Also, there is a special intrusion detection feature in Acra called " poison records". The poison records help to detect a massive data leak and perform a shutdown (or any other action specified by the administrator) of Acra's work (data encryption/decryption) if a poison record is detected in a query (which means there was a successful attempt at an unauthorized data access).